gov.uk 


International data transfers: building trust, delivering growth and firing up 
innovation 


Ministerial foreword 


The importance of international data transfers 


Our hyper-connected world is reliant on data transfers. Everyday conveniences such as GPS 
navigation, wearable technology, smart home technologies, and content streaming services rely on 
data transfers. This enriches our lives, enables us to make informed choices, and helps us use our 
time more efficiently. International data transfers: 


* drive international commerce, trade and development. International data transfers
underpin modern day business transactions and financial institutions. They help streamline
supply chain management and allow businesses to scale and trade globally. In 2018 the UK
exported £190 billion in services delivered digitally and in 2019, investments in the UK tech
sector soared to £10.1bn — a £3.1bn increase on 2018’s figures and the highest level in UK
history.

* underpin innovation, research and development across multiple sectors. The health
sector, universities, and other institutions use research data to fire up AI-powered systems
that can cross-reference clinical queries with insights from millions of medical studies from
around the world. This supports the delivery of better diagnoses, more cost-effective
bio-pharmaceutical research, and the development of new life-saving treatments.

* support international cooperation, including for international trade, law enforcement, and 
national security. Real-time and collaborative data sharing supports cooperation at countries’ 
borders and helps keep the public safe. In the financial sector, service providers analyse data 
generated across the world to detect patterns, identify and stop fraudulent transactions, and 
help combat other criminal behaviour. 

* enable us to stay emotionally and socially connected to one another. This was most 
keenly felt during the height of the COVID-19 pandemic. We were able to stay in touch with 
our friends and families and remain a part of our communities. 


The UK has a unique opportunity — as a world leader in digital, and a champion of free trade and 
the rules-based international system — to be a global force for good when it comes to international 
data transfers. 


The UK has a long and proud tradition of defending privacy rights. In the 1970s, the UK developed 
pioneering committees to explore the protection of personal data. In 1984 the UK passed the first 
Data Protection Act. More recently, the UK played an active role in developing the EU General 
Data Protection Regulation (GDPR) and Law Enforcement Directive (LED). The UK government 
remains committed to high standards of data protection, not just in the UK but also when that
data is transferred overseas. 


There is a great opportunity for the UK to make use of its independent powers. As we have set out 
in our National Data Strategy, we are committed to championing international flows of data. We 
will make full use of our new powers, working globally to strike data adequacy agreements with our 
partners, to deliver innovative alternative mechanisms and remove unjustified barriers to 
international data transfers. In doing so we want to shape global thinking and promote the benefits 
of secure international exchange of data. This will be integral to global recovery and future growth 
and prosperity. 


Our plans are ambitious and diverse. This is reflected in the UK’s flexible approach to adequacy, 
including our list of priority destinations for UK adequacy, and our creative approach to designing
globally interoperable transfer mechanisms. 


There is a huge opportunity to build data bridges with our partners by being collaborative and 
pursuing an outcomes-based approach to international data transfers. This is one important part of 
the government’s wider ambition for a thriving, fast-growing digital sector in the UK, underpinned 
by public trust. We want the UK to be a nation of digital entrepreneurs, innovators and investors - 
the best place in the world to start and grow a digital business, as well as the safest place in the 
world to go online. 


This Mission Statement sets out actions this government will take to support international data 
transfers. We set out how we will seize the new opportunities and the work that we must prioritise 
now. As always, our door is open. To make this work a success, it is important that we hear from — 
and work with — national and international stakeholders. 


The Rt. Hon. Oliver Dowden CBE MP 
Secretary of State for Digital, Culture, Media and Sport 


The Rt. Hon. John Whittingdale OBE MP 
Minister of State (Minister for Media and Data) 


UK adequacy 


(i) Overview 


Now the UK has left the EU, we are able to independently strike data adequacy decisions with our 
international partners. 


Data ‘adequacy’ is a status granted by the UK to countries which provide high standards of 
protection for personal data. An ‘adequacy’ determination means that personal data can be 
transferred from the UK to that country freely, in accordance with the terms of the relevant 
adequacy decision. 


UK adequacy is granted by a Secretary of State. As well as designating a country to be adequate, the 
Secretary of State can also designate territories within a country, sectors of an economy, and 
international organisations as adequate. 


UK adequacy is the most efficient way to freely transfer personal data as it removes the need for 
UK organisations to use alternative transfer mechanisms, which can be costly to implement. 
Adequacy can also provide consumers and organisations greater certainty and confidence in the 
regulatory landscape of another country. 


The UK adequacy process and associated suite of documentation seeks to ensure that the UK can be 
robust and systematic, creating the conditions to deliver on a scale that matches HMG ambitions 
while ensuring high data protection standards are maintained. 


The UK has designed and implemented independent policies and processes for striking UK 
adequacy agreements, and is progressing work to deliver UK adequacy arrangements in line with 
our global ambitions and commitment to high standards of data protection. Doing so will provide 
both UK organisations and our international partners with more straightforward and comprehensive 
mechanisms for international data transfers. 


The UK is working in partnership with a number of priority destinations for adequacy. These 
priorities span the globe and reflect the scale of our ambitions. Data enabled services to these 
destinations are already worth more than £80 billion. 


New partnerships will unlock more growth and allow us to share crucial information, such as
life-saving research and cutting-edge technology innovation across our borders.


The UK’s list of priority destinations for adequacy 


* Australia
* Brazil
* Colombia
* The Dubai International Financial Centre
* India
* Indonesia
* Kenya
* The Republic of Korea
* Singapore
* The United States of America

See detailed map of UK data partnerships. 


Case study: 


Data-fuelled technology is transforming important sectors of the economy and society and, in doing 
so, is providing tangible benefits for both people and businesses. In a globally-connected world, 
scientific endeavours are increasingly international and underpinned by the flow of data. 


International data transfers enable researchers and organisations like Congenica to better understand 
and diagnose rare genetic diseases, and to identify links between health and lifestyle factors and the 
incidence of such diseases. Data transfers unlock access to vital datasets from laboratories and 
research institutions worldwide enhancing the speed and scope of Congenica’s life-saving 
innovation, and supporting collaboration and the exchange of ideas. 


Secure and seamless personal data transfers are essential for running clinical trials like the Oxford 
AstraZeneca vaccine development. Patient data and test results need to be routinely transferred 
across international borders from trial sites to researchers conducting the analysis. International 
agreements on data will make it easier for UK scientists to conduct trials with diverse, global 
patient data sets. This is especially crucial for research into rare and childhood diseases, as due to 
the nature of these diseases, patient data is required from many different countries in order to have 
robust and scientifically sound sample sizes. As well as improving the quality of the scientific 
research and boosting the UK’s position as a scientific superpower, international data partnerships 
will make these vital clinical trials more cost effective, freeing up resources for the work that 
matters. 


The UK’s adequacy list 
The following are deemed adequate for the purposes of the UK GDPR (as at 01/01/21). 


EU Member States and European Economic Area Members 


* Austria
* Belgium
* Bulgaria
* Croatia
* Cyprus
* Czech Republic
* Denmark
* The EU institutions
* Finland
* France
* Germany
* Greece
* Hungary
* Iceland
* Ireland
* Italy
* Latvia
* Liechtenstein
* Lithuania
* Luxembourg
* Malta
* Netherlands
* Norway
* Poland
* Portugal
* Romania
* Slovakia
* Slovenia
* Spain
* Sweden




Other adequate countries, jurisdictions and territories 


* Andorra
* Argentina
* Canada (partial)
* Guernsey
* Israel
* Isle of Man
* Japan
* Jersey
* Faroe Islands
* New Zealand
* Gibraltar
* Switzerland
* Uruguay


Latest guidance on adequate countries from the Information Commissioner’s Office. 


(ii) The ‘test’ for adequacy 

The test for adequacy provided for in the UK GDPR is that when personal data is transferred 
internationally, the level of protection under the UK GDPR is not undermined. To determine this, 
we will consider the overall effect of a third country’s data protection laws, implementation, 
enforcement, and supervision. 


When understanding how a third country protects personal data we will - amongst other things - 
take into account the following factors: 


* The rule of law, respect for human rights and fundamental freedoms;
* The existence and effective functioning of an independent regulator; and
* Relevant international commitments.


We understand the responsibility that governments have to keep their citizens safe. We will take a 
respectful and considerate approach, noting that necessary and proportionate interference with the 
right to privacy can be justified in order to protect the public and is compatible with high standards 
on privacy. 


What does the law say? 


When assessing the adequacy of the level of protection for the purposes of sections 17A (and 74A) 
and 17B(12) (and 74B) of the Data Protection Act 2018, the Secretary of State shall in particular, 
take account of the following elements: 


a). The rule of law, respect for human rights and fundamental freedoms, relevant legislation, both 
general and sectoral, including concerning public security, defence, national security and criminal 
law and the access of public authorities to personal data, as well as the implementation of such 
legislation, data protection rules, professional rules and security measures, including rules for the 
onward transfer of personal data to another third country or international organisation which are 
complied with in that country or international organisation, case-law, as well as effective and 
enforceable data subject rights and effective administrative and judicial redress for the data subjects 
whose personal data are being transferred; 


b). The existence and effective functioning of one or more independent supervisory authorities in 
the third country or to which an international organisation is subject, with responsibility for 
ensuring and enforcing compliance with the data protection rules, including adequate enforcement 
powers, for assisting and advising the data subjects in exercising their rights and for cooperation 
with the [Information] Commissioner; and 


c). The international commitments the third country or international organisation concerned has 
entered into, or other obligations arising from legally binding conventions or instruments as well as 
from its participation in multilateral or regional systems, in particular in relation to the protection of 
personal data. 


(iii) The procedure 


There are four phases of work for UK adequacy: (1) Gatekeeping, (2) Assessment, (3) 
Recommendation, and (4) Procedural. 


Gatekeeping: consideration of whether to commence an adequacy assessment in respect of a 
country, by reference to policy factors reflecting UK interests. Policy factors which will be 
considered include the trade and diplomatic relationship between the UK and the third country 
together with an initial, high-level overview of the data protection rules in the third country and the 
existence of bodies that independently oversee compliance. 


Assessment: collection and analysis of information relating to the level of data protection in 
another country. The UK adequacy team will conduct this work systematically to collect 
information on a third country’s relevant data protection laws and practices, including working 
(where appropriate) with external in-country legal experts and third country partners. 


(i) The Manual Template is a document containing questions that guide the collection of relevant 
information relating to a country’s data protection. The questions are based on key principles of the 
safeguards in the UK GDPR, while recognising that countries protect personal data in different 
ways. Answers to the questions - together with further information and analysis - provide relevant 
detail and evidence of how effectively personal data is protected in legislation and in practice. 


(ii) The Manual Guidance provides users with a guide to filling out the Manual Template, 
supporting the identification and recording of relevant information. 


Recommendation: the UK adequacy team make a recommendation to the Secretary of State who 
will, after consulting the Information Commissioner and any others considered appropriate, decide 
whether to make a determination of adequacy in respect of a specific country. 


Procedural: making relevant regulations - and laying these in Parliament - to give legal effect to an 
adequacy determination of the Secretary of State. 


The Role of the Information Commissioner’s Office. The Information Commissioner’s Office 
(ICO) is the UK’s independent data protection regulator, and has responsibility - amongst other 
things - for advising UK data controllers on compliance with UK data protection law. This includes 
the provision of guidance on legal bases for international data transfers. 


In making and laying UK adequacy regulations, the Secretary of State must consult the Information 
Commissioner. A Memorandum of Understanding has been agreed between the Secretary of State 
for Digital, Culture, Media and Sport and the Information Commissioner which sets out the agreed 
understanding of the ICO’s roles and responsibilities in relation to UK adequacy assessments. 


DCMS - ICO memorandum of understanding 


* The ICO’s role in relation to UK adequacy work — in line with its independent regulatory
role and statutory responsibilities — includes, where appropriate: 


(i) During the Gatekeeping and Assessment phases, when engaged by officials in DCMS:
providing comments and advice to DCMS officials, including via provision of relevant 
factual information that relate to a country’s data protection laws and practices (e.g. the role 
and effectiveness of the relevant country’s regulator); 


(ii) During the Recommendation phase: providing a response on the draft conclusions of
a DCMS assessment so that the Commissioner’s view can be included in the 
recommendation to the Secretary of State and factored into their decision making. In 
forming its view, the ICO will consider, amongst other factors, the features of a country’s 
data protection laws and practices in the round, recognising that different countries have 
different ways of ensuring adequate levels of data protection; and 


(iii) During the Procedural phase: providing advice and/or an opinion to Parliament,
including on the process followed and the factors taken into consideration by the DCMS 
adequacy assessment team and the Secretary of State. 


More information on the ICO’s role in UK adequacy work. 


The role of Parliament. To give legal effect to a decision to specify a country as ‘adequate’, the 
Secretary of State must make regulations and lay these in Parliament. Once laid in Parliament, these 
regulations will be subject to the ‘negative resolution’ procedure. Regulations laid under this 
procedure become law at the point the Minister signs them, and will come into force on the day 
specified in the regulations (typically at least 21 days after being laid in Parliament). Under this 
procedure, both Houses of Parliament have a period of 40 days,[footnote 1] during which time they 
may consider a motion - or ‘prayer’ - to reject the Regulations. 


(iv) Monitoring, reviewing, and challenging adequacy 


Following the adoption of adequacy regulations in respect of a given country, they must be 
monitored and kept under periodic review, at intervals of not more than four years.[footnote 2] 
During this time, the Secretary of State may also amend or revoke UK adequacy regulations. 
Adapting adequacy decisions to evolving business and legal realities through regular review can 
help ensure the durability of those decisions. 


All UK adequacy regulations reflecting a decision taken by the UK government can be challenged 
in domestic courts by way of an application for judicial review. In the event that a challenge is 
successful, the adequacy regulations will be annulled. 


Alternative transfer mechanisms 


(i) Overview 


Alternative transfer mechanisms, also referred to as international transfer tools (ITTs), help to
provide appropriate safeguards for international transfers of personal data to other countries in a
way that ensures that the level of protection of individuals guaranteed by the UK GDPR is not
undermined. They are primarily used to transfer personal data to other countries where it is not
possible to rely on UK adequacy. They typically place obligations on both the data exporter and
data importer to ensure that personal data is protected when it is transferred outside the UK.[footnote 3]


The UK government is working with the ICO to ensure that UK businesses, and third and public 
sector organisations, have effective and economical mechanisms that provide appropriate 
safeguards for transferring personal data internationally. These mechanisms are, and will continue 
to be, supported by clear and pragmatic guidance which enables UK data controllers of all sizes to 
implement them. 


Transfer tools also provide the basis on which the UK government can develop interoperability with 
other international transfer frameworks. The UK government is working with international partners, 
including through the G7 and other fora, on global solutions to address the barriers to cross border 
data transfers. 


Case study: 


UK organisations of all sizes and across all sectors rely on various services from overseas,
such as email marketing, online retail, communication platforms like Zoom, and cloud storage,
in order to grow, collaborate, and innovate in a cost-effective manner. In an era of
remote work, cross-border data transfers have enabled growth, productivity, innovation, and a
strong and competitive market position for these companies. Data transfers are especially important
for micro-, small-, and medium-sized businesses as they can open up overseas markets and supply
chains, improve innovation and competitiveness, and build access to finance.


For individuals, data transfers underpin services that mean we can shop far and wide when buying a
car via Cazoo, help us and our children sleep better and think mindfully via Moshi, and open up the
sharing economy for items small and large via Fat Llama. UK companies like Revolut and Babylon
empower fingertip access to our bank accounts and to healthcare services, respectively.


Many of these services use cloud-based solutions. When UK consumers and businesses use their 
services, this is only possible because of data transfers from the UK. If we can remove barriers to 
these data flows, it means that such services can be provided faster, more reliably and securely, and 
cheaper. 


Where businesses and organisations routinely transfer around the world, adequacy may not always
be the right tool for the job. We have a number of alternative transfer mechanisms - or transfer
‘tools’ in our ‘toolkit’ - to ensure UK data is appropriately protected when it is transferred outside
of the UK.


The international data transfers ‘toolkit’

There are several mechanisms provided by the UK GDPR for the private sector. These include:

* Standard and custom data protection clauses[footnote 4]
* Binding Corporate Rules (BCRs)[footnote 5]
* Codes of conduct[footnote 6]
* Certification schemes[footnote 7]

Options tailored to the specific needs of the public sector include:

* Legally binding instruments between public authorities/bodies[footnote 8]
* Administrative arrangements between public authorities/bodies.[footnote 9]


(ii) Standard and custom data protection clauses 


Standard data protection clauses are ready-made contractual clauses designed to provide appropriate 
safeguards for transferring personal data to organisations in third countries. Both parties must sign 
up to these terms of use before data is transferred. 


Standard data protection clauses adopted by the European Commission before 31 December 2020 
continue to be effective for international transfers from the UK until they are replaced by new data 
protection clauses adopted by either the Secretary of State or the Information Commissioner.[footnote 10]


Both the Information Commissioner and the Secretary of State have powers to issue new standard 
data protection clauses in accordance with Article 46(2)(c) and (d). S119A of DPA 2018 provides 
that the Information Commissioner may issue a document specifying a standard data protection 
clause which they consider to provide appropriate safeguards for the purposes of transferring 
personal data to a Third Country or an international organisation.[footnote 11] 


Before issuing this document, the Commissioner must consult appropriate persons, including
the Secretary of State, who is responsible for laying standard data protection clauses issued by the 
Information Commissioner before Parliament. There is then a 40-day period in which Parliament 
can bring a motion to debate the clauses. S17C of the Data Protection Act 2018 provides similar 
powers for the Secretary of State to directly specify, in regulations, standard data protection clauses. 
Such regulations will then need to be laid before Parliament and be subject to the negative 
resolution procedure. 


The Information Commissioner recently launched a consultation on new standard data protection 
clauses and international data transfers guidance, which are expected to be adopted at the end of 
2021. 


UK data controllers are also able to develop and use their own custom data protection clauses, 
subject to approval by the ICO. 


(iii) Binding Corporate Rules (BCRs) 


BCRs are a set of rules providing adequate safeguards that UK companies may use in order to 
lawfully transfer personal data to other companies outside the UK within the same group structure. 
They must be approved by the ICO. For further guidance on how to develop a BCR, please see the 
ICO’s website. 


Companies who held an EU approved BCR on 31 December 2020 are eligible for a UK BCR if 
relevant conditions are met by the end of June 2021, subject to the Information Commissioner’s 
approval.[footnote 12] 


(iv) Codes of conduct 


Data protection codes of conduct are sector-specific guidelines approved by the ICO that may be 
drawn up by trade associations and other representative bodies. These guidelines can address the 
specific data protection challenges shared by a certain sector or industry and better reflect the 
processing activities of the organisations signed up to the code. 


Codes of conduct can help both controllers and processors understand how to comply with the UK 
GDPR, and set a standard for good practice shared by all those adhering to the code. If a code of 
conduct provides for appropriate safeguards, then it is possible to rely on these to transfer personal 
data to controllers and processors established in other countries who have made binding and 
enforceable commitments to adhere to the code and to apply the appropriate safeguards. 


This mechanism is currently underutilised. We strongly encourage industry bodies to develop their 
own international codes of conduct and make full use of the mechanisms available in the UK 
GDPR. We are keen to speak to organisations that are considering the development of an ICO 
approved code of conduct for data sharing, that will also act as a safeguard for international 
transfers, or who are considering developing a new international code of conduct. Detailed guidance 
on how to develop an international code of conduct. 


(v) Certification schemes 


Certification schemes can help controllers or processors to demonstrate compliance with the UK 
GDPR. Certification schemes must be approved by the ICO and adhere to the criteria set out in ICO 
guidance on certification. Certification schemes may also be used to help with international 
transfers. 


As with codes of conduct, certification schemes are not currently widely used to support 
international transfers. We recognise the potential offered by this underutilised mechanism and are 
working to understand how the UK government can support the development of certification 
schemes for international transfers purposes. 